[Bug 2031942] Re: AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set

Andreas Hasenack 2031942 at bugs.launchpad.net
Wed Sep 6 17:21:01 UTC 2023 

** Description changed:

  [Impact]
  
- * User of openssh reported an issue that affects Lunar and Jammy.
+ User of openssh reported an issue that affects Lunar and Jammy.
  
- * This crash is caused by the wrong pointer manipulation in the if
- statement. The fix is to change the code to check if the value pointed
- to by the pointer 'charptr' is NULL.
+ If AuthorizedKeysCommand is set, an AuthorizedPrincipalsCommand
+ configuration in sshd_config that comes after it is ignored. In this
+ scenario, where AuthorizedPrincipalsCommand is needed and set, users
+ relying on ssh certificates for authentication will be denied access.
  
  [Test Plan]
  
  Launch container:
  $ lxc launch ubuntu:jammy <container-name>
  
  Shell into that container:
  $ lxc shell <container-name>
  
  Create the main directory for our task (e.g. “reproducer”)
  # mkdir reproducer
  
  Go to that directory:
  # cd reproducer
  
  Create 2 more dirs that reflect users:
  # mkdir certuser keyonlyuser
  
  Go to the keyonlyuser:
  # cd keyonlyuser
  
  Do:
  # ssh-keygen -t ed25519 -f key
  
  Go to the certuser:
  # cd /root/reproducer/certuser/
  
  Do:
  # ssh-keygen -t rsa -f ca
  # ssh-keygen -t ed25519 -f key
  # ssh-keygen -s ca -I key_id -n certuser key.pub
  
  Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
  #!/bin/sh
  if [ "$1" = "otheruser" ]; then
  echo certuser
  fi
  
  Exit the file.
  
  Ensure you are in the /root/reproducer/ directory:
  # adduser --disabled-password otheruser
  (Enter multiple times, leave all fields blank)
  
  Then do the same for another user:
  # adduser --disabled-password keyonlyuser
  
  Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
  #!/bin/sh
  if [ "$1" = "keyonlyuser" ]; then
  echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
  fi
  
  Go to the /etc/ssh/sshd_config file.
  Add at the top:
  
  AuthorizedKeysCommand /root/reproducer/authorized_keys %u
  AuthorizedKeysCommandUser root
  
  AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
  AuthorizedPrincipalsCommandUser root
  
  TrustedUserCAKeys /root/reproducer/certuser/ca.pub
  
  Exit from the file and restart the ssh service:
  # systemctl restart ssh
  
  Use these commands to manifest the bug:
  
  # ssh keyonlyuser at localhost -i /root/reproducer/keyonlyuser/key
  
  # ssh otheruser at localhost -i /root/reproducer/certuser/key -o
  CertificateFile=/root/reproducer/certuser/key-cert.pub
  
  Expected results: both ssh commands should succeed.
  
  Actual results:  the second ssh fails because the
  AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set.
  
  [Where problems could occur]
  
  * The patch itself modifies only the servconf.c, so regressions should
  be limited to the server configuration.
  
  * Since the fix touches pointers, there might be regression related to
  memory handling and fetching data.
  
  ---------------------------------original
  report--------------------------
  
  Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:
  
                  if (*activep && options->authorized_keys_command == NULL)
                          *charptr = xstrdup(str + len);
  
  However, this is executed for both authorized_keys_command and
  authorized_principals_command. As a result, if authorized_keys_command
  is set (for instance, if using ec2-instance-connect), any
  AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
  This is fixed in 9.4p1 with the attached patch.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2031942

Title:
  AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is set

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Jammy:
  In Progress
Status in openssh source package in Lunar:
  Fix Committed
Status in openssh source package in Mantic:
  Fix Released

Bug description:
  [Impact]

  User of openssh reported an issue that affects Lunar and Jammy.

  If AuthorizedKeysCommand is set, an AuthorizedPrincipalsCommand
  configuration in sshd_config that comes after it is ignored. In this
  scenario, where AuthorizedPrincipalsCommand is needed and set, users
  relying on ssh certificates for authentication will be denied access.

  [Test Plan]

  Launch container:
  $ lxc launch ubuntu:jammy <container-name>

  Shell into that container:
  $ lxc shell <container-name>

  Create the main directory for our task (e.g. “reproducer”)
  # mkdir reproducer

  Go to that directory:
  # cd reproducer

  Create 2 more dirs that reflect users:
  # mkdir certuser keyonlyuser

  Go to the keyonlyuser:
  # cd keyonlyuser

  Do:
  # ssh-keygen -t ed25519 -f key

  Go to the certuser:
  # cd /root/reproducer/certuser/

  Do:
  # ssh-keygen -t rsa -f ca
  # ssh-keygen -t ed25519 -f key
  # ssh-keygen -s ca -I key_id -n certuser key.pub

  Create a script '/root/reproducer/authorized_principals' with permissions 755 as follows:
  #!/bin/sh
  if [ "$1" = "otheruser" ]; then
  echo certuser
  fi

  Exit the file.

  Ensure you are in the /root/reproducer/ directory:
  # adduser --disabled-password otheruser
  (Enter multiple times, leave all fields blank)

  Then do the same for another user:
  # adduser --disabled-password keyonlyuser

  Create a script '/root/reproducer/authorized_keys' with permissions 755 as follows:
  #!/bin/sh
  if [ "$1" = "keyonlyuser" ]; then
  echo <key.pub from keyonlyuser e.g. ssh-ed25519 AAAdjakdjaskdajd>
  fi

  Go to the /etc/ssh/sshd_config file.
  Add at the top:

  AuthorizedKeysCommand /root/reproducer/authorized_keys %u
  AuthorizedKeysCommandUser root

  AuthorizedPrincipalsCommand /root/reproducer/authorized_principals %u
  AuthorizedPrincipalsCommandUser root

  TrustedUserCAKeys /root/reproducer/certuser/ca.pub

  Exit from the file and restart the ssh service:
  # systemctl restart ssh

  Use these commands to manifest the bug:

  # ssh keyonlyuser at localhost -i /root/reproducer/keyonlyuser/key

  # ssh otheruser at localhost -i /root/reproducer/certuser/key -o
  CertificateFile=/root/reproducer/certuser/key-cert.pub

  Expected results: both ssh commands should succeed.

  Actual results:  the second ssh fails because the
  AuthorizedPrincipalsCommand is ignored if AuthorizedKeysCommand is
  set.

  [Where problems could occur]

  * The patch itself modifies only the servconf.c, so regressions should
  be limited to the server configuration.

  * Since the fix touches pointers, there might be regression related to
  memory handling and fetching data.

  ---------------------------------original
  report--------------------------

  Versions of OpenSSH from 8.7p1 to 9.3p1 contain the following code:

                  if (*activep && options->authorized_keys_command == NULL)
                          *charptr = xstrdup(str + len);

  However, this is executed for both authorized_keys_command and
  authorized_principals_command. As a result, if authorized_keys_command
  is set (for instance, if using ec2-instance-connect), any
  AuthorizedPrincipalsCommand configuration in sshd_config is ignored.
  This is fixed in 9.4p1 with the attached patch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942/+subscriptions

More information about the foundations-bugs mailing list